
FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED

Omar Akchiche 1 and Omar Khadir 2
1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca, Morocco

ABSTRACT
Let p, q be two large primes and n=. We show, in this paper, that if 2 where is the bit-size of and n, then we can compute efficiently the integers and in at most comparisons. Our approach can be used to build attacks against RSA or Rabin cryptosystems.

KEYWORDS
Integer factorization problem, RSA, Rabin cryptosystem, Public key cryptography.

1. INTRODUCTION
Factoring large integers is a central issue in cryptography. No efficient deterministic algorithm is known. Widely used cryptographic protocols like RSA [1], the Rabin [2] system or the Saryazdi [3] digital signature rely on this fact. In many cryptosystems, each user must randomly choose two large prime numbers and to produce his own keys. These integers have to be sufficiently large to ensure that it is not computationally possible for anyone to factor the modulus =. Generally, generating the primes accounts for most of the total running time. Menezes et al. [4, p. 133] give several algorithms for prime number generation and primality testing. Also, in [5], the authors made experimental tests and concluded by suggesting some rapid procedures.

In the literature, there exist various integer factorization methods, but they are not efficient. The oldest and simplest one is trial division. Fermat [6, p. 143] proposed a technique for factoring integers that are the product of two primes which are close to one another. The continued fraction algorithm [7] was developed in Some decades later, John Pollard conceived his 1 and methods [8,9] respectively in 1974 and At the end of the 1970s, with the advent of public key cryptography [10,1,2], the integer factorization problem became of crucial importance.
Numerous papers, proposing ingenious and sophisticated methods, were published. Pomerance [11] discovered the quadratic sieve algorithm in Less than two years later, Lenstra [12] suggested factoring large numbers by means of finite elliptic curves. Today, the fastest known algorithm is the General Number Field Sieve (GNFS) [13, p. 103]. It was invented by Pollard in 1988 and allows one to factor natural integers with more than 110 digits. Stinson [14, p. 232] has evoked the possibility of factoring the RSA modulus if the two factors are too close. In 1999, Boneh et al. [15] described a polynomial time algorithm for factoring = when the exponent is large. Some years later, in 2007, Coron and May [16] presented the first deterministic algorithm for factoring the RSA modulus in polynomial time, but they used the public and the secret key pair (, ).

DOI : /ijitmc

Our work is devoted to presenting original results related to the integer factorization problem. Indeed, we improve many statements established in two previous articles [17,18]. Furthermore, our approach can be used to build attacks against cryptosystems like RSA [1], Rabin [2] or the Saryazdi digital signature [3].

The paper is organised as follows. In section 2, we recall the main facts stated in papers [17] and [18]. In section 3, we present our own results and we conclude in section 4.

Throughout the sequel, we will use standard notations. In particular N is the set of all natural integers 0,1,2,3, and N = N {0}. The largest integer which does not exceed the real is denoted by. It is also the integer part and the floor of. Thus we have < + 1. The bit-size of a positive integer is the number of bits in its binary representation. So, the bit-size of is = 2 with every {0,1} and = 1. Moreover, the bit-size of satisfies the relation 2 < 2. Two positive integers and are said to be co-factors of if =. We start by recalling some known results.

2. PRELIMINARIES
In this section, we recall results established in 2008 and 2010 and described in papers [17] and [18]. More precisely, we review sufficient conditions under which one can factor = where, are co-factors not necessarily prime but close to each other. For the sake of completeness, we give all the proofs. First we present a statement published in [17]. Before that, we need the following lemma.

Lemma 1. [17] Let < be two elements of N and let, denote the number of perfect squares such that <. Then we have:, < + 1.

Proof.
Consider the set = { N }. Since is also N, its cardinality is + 1, and then, =. If we put = and = which means that < + 1 and < + 1, we obtain and < 1. Hence, = < + 1 = + 1.

The following theorem was one of the main results in paper [17].

Theorem 1. [17] Let N be a composite integer whose bit-size is. If its two prime factors and satisfy the inequality: 2 (1) then we can compute them efficiently.

Proof. Without loss of generality, we assume that 2 < <. As the prime factors and are odd, we put = + 2 where N. Since =, + = ( + ). By relation (1), 2. It follows that = 2 and then 2. Let = + where > 0. We have >. By Lemma 1, the number, of perfect squares between and satisfies the inequality, < + 1. We deduce that, < + 1. The bit-size of is, so 2. Thus 2 2. Therefore, < + 1 = 2. However, is an integer, so, = 1 This means that the only perfect square between and is = + = ( + ). But the first perfect square greater than is = ( + 1). This allows us to compute the factors and. Indeed, since = is a perfect square, = ( )( + ). Then, we have = and = +. Hence = + 1 and =

Now we move to results published in paper [18]. But first, we give two definitions.

Definition 1. [18] Let N be a composite integer. The minimal distance ( ) of is the smallest distance between its co-factors: ( ) = {,, N, = } (2)

The next fact is easy to prove.

Theorem 2. [18] For every composite integer N, there exists a unique couple (, ) of divisors of such that = and ( ) =.

Definition 2. [18] Let N be a composite integer. The unique couple of positive integers (, ) such that = and ( ) = is called the weak decomposition of.

For all the proofs below, we denote by = the odd natural integer to be factorized where (, ) is its weak decomposition and ( ) is its minimal distance as stated in relation (2). For simplicity, we assume that 2 < <. We also define = + such that = ( ) = 2, N since is odd. According to previous notations, it is readily seen that = ( + ). Observe that as > 0, >. Furthermore, we let, be the number of perfect squares between and.

The next theorem was the main result in [18]. In the sequel, the term comparison means the operation consisting of checking if a given natural integer is a perfect square or not.

Theorem 3.
[18] For every composite odd integer N whose bit-size is, if there exists a number such that the minimal distance of verifies: ( ) 2 (3) then one can find the weak decomposition of in at most 2 comparisons.

Proof. By Lemma 1, since, is the number of perfect squares such that <,, < + 1 < + 1. On the other hand, by relation (3) ( ) 2, so 2. As is the bit-size of, 2. We obtain, <. + 1 < Since, is a natural integer, it is clear that, 2. The only 2 perfect squares immediately greater than are ( + ), 1 2. As + is a perfect square between and, there exists necessarily an integer {1,2,, 2 } such that: + = ( + ) This relationship implies that: = + ( + + ). If we put = + and = + +, then = 2 = ( ). Therefore the couple (, ) is a weak decomposition of. However, by Theorem 2, = and = which ends the computation of the two factors and. We find by making at most 2 comparisons since {1,2,, 2 }.

In the following section, we improve and extend the main results established in papers [17] and [18].

3. OUR RESULTS
In this section, we present our main contribution by extending Theorem 1. First, we need a slightly modified version of Lemma 1.

Lemma 2. If < are two elements of N and if, denotes the number of perfect squares such that <. Then we have: 1 <, < + 1 (4)

Proof. The right inequality in relation (4) was proved in Lemma 1. It is not difficult to see that, =. If we put = and = which means that < + 1 and < + 1, we obtain > 1 and. Hence, = > 1 = 1 which ends the proof. Note that we also have, < 1.

Throughout the sequel, we make use of the following lemma.

Lemma 3. Let be a composite odd integer. The first natural integer such that + is a perfect square is exactly,. Moreover, if one can compute,, then it is possible to find the weak decomposition of.

Proof. The number of perfect squares between and is,. Thus, the perfect squares such that < have the form +, 1,2,,,. The largest one is +,. Hence, we must have = +,. Therefore +, is a perfect square. The first assertion is then proved. In order to justify the second one, assume that we know,, Since + = +,, we deduce that = +, ( +, + ). Let = +, and = +, +. As = 2 = ( ), the couple (, ) is a weak decomposition of. Consequently, by Theorem 2, = and = which ends the computation of the two co-factors of.
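
The search that Lemma 3 relies on, written out as an added Python example (not code from the paper). It assumes a "comparison" is the classical Fermat test, whether (isqrt(n) + j)^2 - n is a perfect square, because the page's own formulas did not survive extraction; the function names, the sample primes and the FIPS 186-4 gap check are additions meant for auditing key generation.

```python
from math import isqrt


def is_square(m):
    """One 'comparison' in the paper's sense: is m a perfect square?"""
    if m < 0:
        return False
    r = isqrt(m)
    return r * r == m


def fermat_search(n, max_comparisons):
    """Try x = isqrt(n) + j for j = 1, 2, ... until x*x - n is a perfect square.

    Returns (p, q, j) with p <= q and p * q == n, or None when the budget of
    max_comparisons perfect-square checks is exhausted first.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    root = isqrt(n)
    if root * root == n:                # degenerate case: both co-factors equal
        return root, root, 0
    for j in range(1, max_comparisons + 1):
        x = root + j
        y2 = x * x - n
        if is_square(y2):
            y = isqrt(y2)
            return x - y, x + y, j      # n = (x - y)(x + y)
    return None


def comparisons_needed(p, q):
    """Exact cost of fermat_search for n = p*q with odd primes p < q.

    The only other factorization is 1 * n, so the first hit is at
    x = (p + q) / 2 and the search performs (p + q) / 2 - isqrt(n) checks.
    """
    return (p + q) // 2 - isqrt(p * q)


def fips_gap_ok(p, q, nlen):
    """FIPS 186-4 (B.3.3) rejects prime pairs with |p - q| <= 2^(nlen/2 - 100)."""
    if nlen // 2 <= 100:
        raise ValueError("nlen too small for this check")
    return abs(p - q) > 2 ** (nlen // 2 - 100)


if __name__ == "__main__":
    # Constructed sample primes: one very close pair, one slightly wider pair.
    for p, q in [(10007, 10009), (101, 199)]:
        print(p, q, fermat_search(p * q, 1000), comparisons_needed(p, q))
```

Running `comparisons_needed` on freshly generated primes gives the exact number of perfect-square checks this search would need, which is the quantity the theorems in this section bound.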

Now, we give our first main result: an extension of Theorem 1.

Theorem 4. For every composite odd integer N whose bit-size is, if there exists a positive number such that the minimal distance of verifies: ( ) 2 (5) then one can find the weak decomposition of in at most comparisons.

Proof. As ( ) 2, = ( ) = 2, and then 2. Since by Lemma 1,, < + 1, it follows that, < + 1. Therefore, < + 1. But, is a natural integer, so,. By Lemma 3, in order to compute,, one must determine the first positive integer,, such that + is a perfect square. Thus, for this purpose, we need at most comparisons. By the same Lemma 3, once, is known, we are able to find the weak decomposition of.

Remark 1. Our result is also an improvement of Theorem 3 from paper [18] by taking = 2, N.

Theorem 4 leads to the following efficient algorithm where comments are delimited with braces.

Algorithm:
Input: A composite odd positive integer.
Output: The weak decomposition (, ) of.
1. input( ); { is the composite natural integer to be factored}
2. 1; {We initialise the value of in relation (5)}
3. 0; {The program ends when flag becomes 1}
4. while = 0 do
  4.1. ( 1) + 1; {We initialise the value of. We look for such that + is a perfect square}
  4.2. while and = 0 do
    ; ;
    if is a perfect square then {Here = + }
      ; ; { is the first co-factor of }
      ; { is the second co-factor of }
      ; {We stop the program since is factored by previous instructions}
      output (, ); {The algorithm computes the weak decomposition of }
    ; {We increment }
  ; {We enlarge the coefficient such that 2 }

The next corollary improves Theorem 4 if more information is known.

Corollary 1. For every composite odd integer N whose bit-size is, if is the smallest positive integer such that: ( ) 2 (6) with < 2, then we can determine the weak decomposition of in at most ( ) comparisons. + 1

Proof. We proved in Theorem 4 that, <, let us here show that, ( ). The bit-size of is, so 2 and then 2 2. By hypothesis (6) = ( ) 2. We assumed that < 2, so 2 < 2. Therefore < 2. The fact that is the bit-size of leads to < 2 and then 2 < 2. This implies that + 2 < 2. 2 = 2. So we obtain >. Recall that is the smallest integer which satisfies inequality (6). That means ( ) > ( 1)2. As = ( ), > ( 1)2 and then > ( 1) 2. By Lemma 2,, > 1. Hence, > ( ) 1 = ( ) 1. Since, is an integer, we must have, ( ) ( ). We proved that,. By Lemma 3, to compute,, we have to determine the first integer such that + is a perfect square. We are sure ( ) that. It is clear that we will need at most ( ) + 1 comparisons. Then, by the same Lemma 3, knowing,, we can find the weak decomposition of.

Example 1. Let us take n = as in paper [19]. With the help of Maple software, the first positive integer for which + is a perfect square is j = 370. Therefore the two factors of are p = 6907 and q = On the other hand, the first natural integer such that ( ) 2 is N = 21, and we check that belongs to the interval ( ),.

In the next result, we improve Theorem 3 under certain assumptions. But, first we need the following theorem.

Theorem 5. For every composite odd integer N whose bit-size is, if we can find a natural integer and a positive real such that: 2 < ( ) 2 (7) with 2 < + 1, then one can find the weak decomposition of in at most comparisons.

Proof. In the proof of Theorem 3, we have seen that, 2. Now we show that, 2. As is the bit-size of, 2 and then 2 2. Since ( ) 2, = ( ) 2. By hypothesis 2 < + 1, thus 2 < 2. Therefore < 2. Moreover, is the bit-size of, so 2 < 2. It follows that + 2 < 2. 2 < 2. We then get >. Since, by relation (7), ( ) > 2, we have = ( ) > 2. So, we deduce that > 2. By Lemma 2,, > 1. Therefore, > 1. Finally, we obtain, > 1 > 2 1. But, is an integer, so, 2. We proved that 2, 2. By Lemma 3, the integer, verifies that +, is a perfect square. That means that in order to compute,, one must check if + is a perfect square for such that 2 2. Obviously, we need at most comparisons. Then, by the same Lemma 3, once we know,, we can find the weak decomposition of.

The following corollary, our second main result, slightly improves Theorem 3 [18]. It reduces the number of comparisons to perform.

Corollary 2. For every composite odd integer N whose bit-size is, if we can find the smallest positive integer such that: ( ) 2 (8) with 2 < + 1, then one can find the weak decomposition of in at most comparisons.

Proof. We split the value of the exponent of the first term in relation (7) into two parts: x = x (3 + 2x). Since is the smallest positive integer that satisfies the inequality (8), ( ) ( ) > 2. Therefore, in order to apply Theorem 5, we must have 3 + 2x = 2(l 1). In other words, =. Hence, the assertion is proved.

The following theorem enlarges the bound in relation (3) without adding much cost.

Theorem 6. For every composite odd integer N whose bit-size is, if there exists a positive integer such that the minimal distance of verifies: ( ) 2 +2 (9) with 2 < + 5, then one can find the weak decomposition of in at most comparisons.

Proof. For simplicity, let = 2. So the hypothesis (9) becomes ( ) < 2 +. As = ( ), 2 +. Therefore, it is clear that The bit-size of is, so <. Since, by Lemma 1,, < + 1, we have:, < If we substitute with its value, then we get, < Recall that, is an integer, so, Consequently, by Lemma 3, in order to find a natural integer such
